Hijacking this bug for all the other security-related bug fixes.
-r2 will hit the tree in the near future (maybe it'll take a few days), containing these fixes:
#1 safe_mode bypass by prepending http:// to paths (see initial description
of this bug + securityreason advisories)
#2 Bug 221969 (insecure c-client api calls allow for buffer overflows)
This IMO allows for local code execution (as such bypassing safe_mode etc.)
and maybe even remote code execution when processing specially-crafted mails.
#3 Crash in stream_context_set_params()
#4 Crash in class PDORow
Commit msg: "Add check for avoid segfault when trying instantiate
#5 Crash (double free) in Dom->setAttributeNode
Commit msg: "fixed bug #45251 (double free or corruption with
#6 Crash in array functions under certain circumstances
Commit msg: "Fixed bug #45312 (Segmentation fault on second request for
Only #2 looks a bit more serious to me; the others are just crashes or safe_mode bypasses.
There is no fix for issue #1; I'll bug upstream...
JFYI, issue #1 does not seem to be reproducible when enabling safe_mode via CLI (i.e. php -d safe_mode=on). It seems to work as expected in this case. If you want to reproduce it, use real files. :)
Ignore comment #1, we'll handle the other issues in bug 230575.
Initial issue is still unfixed; I've got a patch which needs some testing and an OK from upstream.
I proposed two patches and have further discussed this issue with Felipe Pena from upstream. My fix got committed, so I'm going to include it in our next patchset revision.
I'll wait some days to see if this causes some unwanted false positive safe_mode warnings though.
GLSA 200811-05, thanks everyone, especially hoffie.